New Data Breach Notification Laws in Effect in Three States

Companies in Texas, Illinois, and Oregon have new notification obligations if they experience a data breach, under amendments to state laws that went into effect on January 1. All 50 states and the District of Columbia require companies to notify people of security breaches of personal information, but states have been updating data breach notice statutes in recent years to broaden the definition of personal information and change requirements for when and how to notify affected individuals or the state attorney general. Texas now requires businesses to notify affected individuals within 60 days of determining a breach occurred, rather than notifying them “as quickly as possible,” which was the case under the previous law. The state also added an obligation to notify the attorney general if the breach involves at least 250 residents and creates a privacy protection council that will make recommendations for future state privacy laws by September 1, 2020. The Oregon law extends some data breach notice obligations to vendors and expands the definition of personal information to include information used to access an online account. And Illinois requires “data collectors” to notify the state attorney general for breaches affecting more than 500 of its residents. Read the article at Bloomberg Law.